Blippy credit card info exposed to identity theft on Google

Blippy credit card info exposed on Google set up 127 Blippy members for the easiest identity theft in the history of the Internet.

The Blippy credit card info exposed on Google is way too much information. Blippy invites users to use the social networking service to tell their friends about what they buy online. VentureBeat reported Friday that at least one person figured out how to find Blippy members’ credit card numbers on Google. A search VentureBeat calls “fairly obvious” returned 127 results that included full credit card numbers. The Blippy disaster came just one day after Blippy announced it got $11.2 million in instant money from venture capitalists and basked in the attention of a profile in the New York Times.

Blippy sneaks credit card info from Amazon

Blippy credit card info exposed on Google confirms the worst fears of Blippy skeptics who wonder why anyone would want to accept a Blippy invite to share personal details about online shopping habits. The New York Times profile by Brad Stone reported that Amazon.com blocked Blippy invite code allowing people to share Amazon purchases. The Blippy invite opened last fall and attracted 125,000 visitors in March. These numbers may have been achieved, in part, it appears, by sneaking around Amazon: soliciting Blippy members for access to their Gmail accounts and taking the purchase data from e-mailed Amazon receipts.

Blippy invite code backfires

Blippy credit card info was exposed on Google when Blippy programmers apparently flunked HTML 101. Elinor Mills at CNET News reports that the problem grew from an oversight during the company’s beta test months ago. Blippy had no idea that raw credit card data was viewable in the HTML source of its pages. The data was removed, but for some reason it still shows up in the Google cache. Blippy co-founder Philip Kaplan told Mills that “Unfortunately, the incident was from early in our testing phase when we were just beginning to develop Blippy. We are working hard to bolster our security and make sure it’s stronger, including getting third-party audits from security experts and other measures to make sure this doesn’t happen again.”

Is Blippy an identity theft engine?

Blippy users actually link their credit cards to the Blippy site. When people link their credit cards to Blippy, merchants pass along their raw transaction data – including credit card numbers. Blippy claims to delete all data except the merchant and money spent. VentureBeat reporters determined that the Blippy credit card numbers exposed on Google are Citibank-issued MasterCard numbers. These 127 unfortunate Blippy users, and perhaps the whole naive bunch of them, appear to be sitting ducks for identity thieves ready to steal their money now.
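The failure described above, raw merchant strings carrying card numbers into the HTML source of a page, is the kind of thing a release check on the generated markup can catch. The sketch below is an added example, not code from Blippy or from the reports cited here; the function names, the `data-raw` attribute and the sample markup are assumptions made for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(match: re.Match) -> str:
    return re.sub(r"[ -]", "", match.group())

def find_pans(markup: str) -> list[tuple[int, str]]:
    """Return (offset, last four digits) per card number; never the full number."""
    return [(m.start(), _digits(m)[-4:])
            for m in PAN_CANDIDATE.finditer(markup) if luhn_valid(_digits(m))]

def redact_pans(markup: str) -> str:
    """Mask all but the last four digits of every Luhn-valid candidate."""
    def mask(m: re.Match) -> str:
        d = _digits(m)
        return "*" * (len(d) - 4) + d[-4:] if luhn_valid(d) else m.group()
    return PAN_CANDIDATE.sub(mask, markup)

def assert_safe_to_publish(markup: str) -> None:
    """Release gate: refuse to serve a page whose source still holds a card number."""
    hits = find_pans(markup)
    if hits:
        raise ValueError(f"card number(s) in page source at offsets {[o for o, _ in hits]}")

# Constructed sample: a raw merchant string left in an attribute, invisible in the
# rendered page but present in the source. 5555 5555 5555 4444 is a public test number.
SAMPLE_HTML = (
    '<li class="purchase" data-raw="EXAMPLE STORE 5555 5555 5555 4444 $12.00">'
    "spent $12.00 at Example Store</li>\n"
    "<!-- order ref 1234567890123456 -->"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_HTML))
    print(redact_pans(SAMPLE_HTML))
```

The scan runs over the full page source rather than the visible text, since the exposed numbers were in the markup and not in what users saw on screen.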